Cross-Origin Resource Sharing

Configure CORS to prevent unauthorized browser requests.

[cors] allow_credentials = false allow_origins = "https://app.grafbase.com" max_age = "60s" allow_methods = ["GET", "POST"] allow_headers = "Content-Type" expose_headers = ["Access-Control-Allow-Origin"] allow_private_network = false
  • allow_credentials: Enables or disables credential sending. Defaults to false.
  • allow_origins: Allowed domains, one or multiple domains in a list. A Glob pattern can also be used. To accept any domain, use "*". Defaults to no domains if CORS is enabled.
  • max_age (duration): Duration for caching preflight OPTIONS request results. Default: none.
  • allow_methods: One or multiple allowed HTTP methods. To accept any method, use "*". Defaults to none if CORS is enabled.
  • allow_headers: One or multiple allowed headers. To accept any header, use "*". Defaults to no headers if CORS is enabled.
  • expose_headers: Headers a preflight request can return to the client. Default: no headers if CORS is enabled.
  • allow_private_network: Allows private network requests. Defaults to false.

The supported glob patterns for allow_origins are:

  • * matches zero or more characters.
  • ? matches any single character.
  • [ab] matches one of the characters contained in the brackets. Use [!ab] to match any character except a and b.
  • {p1,p2} matches either pattern p1 or p2.

For example *.example.com will match all sub-domains of example.com.